Port MASTG test 0039 (by @guardsquare)

tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md

@@ -0,0 +1,27 @@
+---
+title: Debuggable Flag Not Disabled in the AndroidManifest
+platform: android
+id: MASTG-TEST-0x39-1
+type: [static]
+weakness: MASWE-0067
+---
+
+## Overview
+
+This test case checks if the application has the debuggable flag set in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application.
+
+!!! note Other ways to debug the application
+    Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging.
+
+## Steps
+
+1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121.
+2. If the output of @MASTG-TOOL-0121 contains `application-debuggable`, the app has the debuggable flag set.
+
+## Observation
+
+The output should contain the contents of the AndroidManifest.xml.
+
+## Evaluation
+
+The test case fails if the debuggable flag is set.

tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md

@@ -0,0 +1,31 @@
+---
+title: Debugging enabled for WebViews
+platform: android
+id: MASTG-TEST-0x39-2
+type: [static]
+weakness: MASWE-0067
+---
+
+## Overview
+
+To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)).
+
+Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews.
+
+!!! note Other ways to debug the application
+    Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check
+    1. if it is set to true, and
+    2. if the API call can be executed during runtime.
+
+## Observation
+
+The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime.
+
+## Evaluation
+
+The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled.

tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md

@@ -7,6 +7,9 @@ platform: android
 title: Testing whether the App is Debuggable
 masvs_v1_levels:
 - R
+status: deprecated
+covered_by: [MASTG-TEST-0x39-1,MASTG-TEST-0x39-2]
+deprecation_note: New version available in MASTG V2
 ---
 
 ## Overview

tools/android/MASTG-TOOL-0121.md

@@ -0,0 +1,31 @@
+---
+title: aapt2
+platform: android
+source: https://developer.android.com/tools/aapt2
+---
+
+Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder.
+
+It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file.
+
+The permissions of an APK file can be viewed with:
+
+```bash
+$ aapt d permissions app-x86-debug.apk
+package: sg.vp.owasp_mobile.omtg_android
+uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
+uses-permission: name='android.permission.INTERNET'
+```
+
+Viewing all contents of the AndroidManifest can be performed with:
+
+```bash
+$ aapt d badging app-x86-debug.apk
+package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14'
+sdkVersion:'23'
+targetSdkVersion:'34'
+uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
+uses-permission: name='android.permission.INTERNET'
+application-label:'OMTG Android'
+...
+```